Google: Security Keys Neutralized Employee Phishing

Discussion in 'privacy technology' started by mood, Jul 23, 2018.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    12,941
    Google: Security Keys Neutralized Employee Phishing
    July 23, 2018
    https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,645
    That is impressive. But then, I presume that their physical security is also pretty tight.

    But let's say that mine isn't. How hard would it be to brute force the physical key?

    Also, I'm guessing that such physical keys are well-enough isolated from devices that malware can't compromise them. Right?
     
  3. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    802
    Location:
    Member state of European Union
    You mean every 70k+ Google engineer around the world? No, they aren't.
    Of course they also use role-based access control and the principle of least privilege.
     
    Last edited: Jul 24, 2018
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    10,971
    Location:
    Here
    Google announces its own security key for stronger logins
    https://www.theverge.com/2018/7/25/17613332/google-titan-security-key-login-2fa
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,136
    Nobody short of the NSA on steroids is even going to dream about breaking into a U2F element remotely. NO known way to even get close! I have never slept better at night. After transitioning to U2F exclusively for my most important "true name" accounts I have lost all concerns for phishing, MITM, etc. Yubikeys (the industry leader for the general population) cannot be manipulated at all. One of Yubi's strictest guidelines is that you can't EVER change the firmware, even with their assistance. It comes from the "factory" with SET firmware and it's not going to get changed.

    If you consider security as a pipe, remember it has two ends. Assuming the user keeps their end of the pipe secure, the attacker can still consider trying to break in from the other end, which is the website server. If a site runs poor OpSec and the server end is breached, it won't really matter if YOUR end is solid.
     
    Last edited: Jul 25, 2018
  6. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,704
    Location:
    UK
    If we're talking about the U2F key on its own (not the "normal" Yubikey, which has richer functionality and can be reprogrammed), then the API is extremely simple and, I suspect, extremely hard to attack remotely UNLESS there are undocumented features built in by the vendor and known to the attacker.

    Which leads to the usual conclusion: an open source firmware project with suitable open hardware support is the ticket, if you're not willing to trust Yubico.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,645
    OK, thanks :)

    But what if an adversary has the key? I get that at least some will nuke after too many failures. But what about physical hacking? Do they have the sorts of hardware protection that military-grade crypto modules use? Such as embedded wire grids?
     
  8. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,704
    Location:
    UK
    My understanding of the physical security of the classic Yubikey is that it was nothing special, with no military-grade crypto modules or self-destruct or anything. So, you'd have to assume that if physically owned, the root certificate/secret would become vulnerable (the U2F Yubikey generates certificates on the fly using the source URL as part of the derivation, which is why it doesn't need to generate a certificate per site and store it every time).

    I'm personally less concerned about that because that's nation-state stuff and if they have your U2F key, they probably have you by other things you have.
     
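    The derivation deBoetie describes above, as an added Python model that is not Yubico's firmware or FIDO reference code: one device secret plus the application ID (the origin the browser reports) yields the per-site key, and the key handle carries a MAC that binds it to that origin. The HMAC in authenticate() stands in for the token's ECDSA signature; the device secret, origins and challenge are constructed for the demo.

```python
import hashlib
import hmac
import os

# Added illustration, not Yubico firmware or FIDO reference code: a U2F token
# derives every per-site key from one device secret plus the application ID.
NONCE_LEN = 16


class U2FKeyModel:
    def __init__(self, device_secret=None):
        # The only long-term secret on the token; nothing per site is stored.
        self.device_secret = device_secret or os.urandom(32)

    def _wrap(self, app_id, nonce):
        # Per-site private key = HMAC(device secret, app_id || nonce).
        priv = hmac.new(self.device_secret, app_id.encode() + nonce, hashlib.sha256).digest()
        # MAC binds the handle to app_id so it cannot be used from another origin.
        mac = hmac.new(self.device_secret, app_id.encode() + priv, hashlib.sha256).digest()
        return priv, mac

    def register(self, app_id):
        # Key handle = nonce || MAC; a real token also returns the site's public key.
        nonce = os.urandom(NONCE_LEN)
        _, mac = self._wrap(app_id, nonce)
        return nonce + mac

    def unwrap(self, app_id, key_handle):
        # Recompute the site key; None means the handle was not issued for this app_id.
        nonce, mac = key_handle[:NONCE_LEN], key_handle[NONCE_LEN:]
        priv, expected = self._wrap(app_id, nonce)
        if not hmac.compare_digest(mac, expected):
            return None
        return priv

    def authenticate(self, app_id, key_handle, challenge):
        # Stand-in for the ECDSA response: HMAC over app_id and challenge with the site key.
        priv = self.unwrap(app_id, key_handle)
        if priv is None:
            return None
        return hmac.new(priv, app_id.encode() + challenge, hashlib.sha256).digest()


def phishing_demo():
    # The browser supplies the origin as app_id, so a look-alike domain is refused by the token.
    token = U2FKeyModel(b"\x01" * 32)  # fixed secret only to make the demo repeatable
    handle = token.register("https://accounts.example.com")
    genuine = token.authenticate("https://accounts.example.com", handle, b"challenge")
    phished = token.authenticate("https://accounts-example.com", handle, b"challenge")
    return genuine is not None and phished is None
```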
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    8,645
    Yeah, I guess. But I love to play with stuff :)
     
  10. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    802
    Location:
    Member state of European Union
  11. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    12,941
    You can buy Google's $50 set of Titan security keys now
    Two keys to success... or at least better two-factor authentication.
    August 30, 2018

    https://www.cnet.com/news/you-can-buy-googles-50-set-of-security-keys-now/
     
  12. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,136

    Hopefully they will quickly enable the NFC capabilities for better sales. I use NFC for Google Pay so it's on already. My Yubis work perfectly for NFC and U2F on my accounts. Not having NFC would be "game over" for me. I don't run with Bluetooth on. Others may differ, but I am who I am. I am curious if they have tried these against Android Pie, which I have running in full developer mode.
     
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    10,971
    Location:
    Here
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    12,941
    Google Titan Security Key review: An expensive, easy-to-use security key
    October 6, 2018
    https://mashable.com/review/google-titan-security-key/?europe=true&utm_cid=hp-h-1
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    10,971
    Location:
    Here
    Titan Security Key no longer available from the Google Store
    https://www.androidpolice.com/2019/...ey-no-longer-available-from-the-google-store/
     
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,704
    Location:
    UK
    I think the Titan stuff was always an interim solution; hopefully there will be adoption of FIDO2 and WebAuthn. If that works OK, that is, and there are decent adoption levels, which hasn't happened for 1st gen U2F (which only ever worked with Chrome).
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    12,941
    Google Gives Free Security Keys to Activists, But Not if You’re in Iran or Syria
    April 26, 2019
    https://motherboard.vice.com/en_us/...keys-iran-syria-cuba-crimea-sudan-north-korea
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    71,205
    Location:
    Texas
    Google recalls its Bluetooth Titan Security Keys because of a security bug
     